A mother took a picture of her 4-year-old daughter and posted it on Instagram. The daughter was wearing a pair of Crocs sandals and the mother included #Crocs in the description. Crocs scraped the photo from Instagram and included it in a gallery of user-generated content on its website.

The fact that a child was featured in the image adds an additional level of complexity to the issue due to the Children’s Online Privacy Protection Act (COPPA). COPPA requires organizations to get parental permission to collect personally identifiable information (PII) on children under the age of 13.

Although I’m not an attorney, I became very familiar with the intricacies of the COPPA regulations when I consulted for Hasbro. In the end we decided to hold off on collecting email addresses from people under the age of 13 until we could put a reliable system in place to get consent.

My church publishes an email newsletter and its policy is never to use images of children without getting consent from parents. It makes it difficult to include group photos of the Christmas pageant (because we have to take the time to get explicit consent from the parent of every child in the picture) but we feel it’s the right thing to do. Side note: this policy was in place before I got there and seems to have been developed independently of any knowledge of COPPA.

So, is a picture of a child considered PII? Does a parent including a corporate hashtag in the description of an image constitute permission? These are questions for the Federal Trade Commission (FTC); when the Times reached out to them they declined to comment.

And what if the people in the image are 13 years of age or older and COPPA doesn’t apply? What if a picture of you, your family or your friends posted on social media is scraped for use by a brand without your explicit permission. Is that fair use? Under what conditions? How can the brand use it? For how long?

This is a relatively new issue for digital marketing and there are a lot of questions; but there are also parallels in the offline world.

For instance, years ago I took my nephews to a Washington Capitals Hockey game. We clinched the division championship at that game and they gave the people in our row a long banner to unroll and hold up to celebrate. Image my surprise when I got some marketing material in the mail months later and saw my nephew Tyler smiling back at me, holding the edge of that banner in a picture from that night.

I was surprised, but not upset. We’re both big Capitals fans, so we kind of got a kick out of it. Also, I know that event tickets include legal language giving the venue and/or the team permission to use your image should they take a picture of you while you’re attending.

But scraping images from social media seems different. It’s one thing if the picture is specifically submitted to a brand as user-generated content. But it’s another if the picture is posted on a personal social media profile.

This is one of those areas where marketing has the potential to get creepy.

And while laws will help, smart brands use the law as a bare minimum standard for behavior. Smart brands ask whether this is something that will delight prospects and customers — or whether they will find it creepy and intrusive. And if it’s the latter, they don’t do it, even if it’s legal.

In the statement I quoted at the beginning of the article Crocs went on to say “It’s our policy to get permission before making any other use of photos consumers have tagged us in.” It appears that in this instance this policy wasn’t followed. Stuff happens. But brands which push ahead with creepy marketing practices and don’t think about how their customers will view it — that’s bad marketing and it hurts the entire industry.